doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2017-05-19 17:48:43 +0200
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2017-05-19 17:48:47 +0200
commit: 15c8d83a5750200e9709ed2f7095704fe4e89fd7 (patch)
tree: 141f78fa3c1b873ecba87f5e3150cb43e6d698d3
parent: 1273c97343c2070a28cfa1f1dd55599ca87106e2 (diff)
download: libtasn1-15c8d83a5750200e9709ed2f7095704fe4e89fd7.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 4d2eee1..5a9a572 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,13 @@ GNU Libtasn1 NEWS                                     -*- outline -*-
   That is introduced in order to allow toleration of invalid times in
   X.509 certificates (which are common) even though strict DER adherence
   is enforced in other fields.
+- Added safety check in asn1_find_node(). That prevents a crash
+  when a very long variable name is provided by the developer.
+  Note that this to be exploited requires controlling the ASN.1
+  definitions used by the developer, i.e., the 'name' parameter of
+  asn1_write_value() or asn1_read_value(). The library is
+  not designed to protect against malicious manipulation of the
+  developer assigned variable names. Reported by Jakub Jirasek.
 
 * Noteworthy changes in release 4.10 (released 2017-01-16) [stable]
 - Updated gnulib
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2017-05-19 17:48:43 +0200
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2017-05-19 17:48:47 +0200
commit	15c8d83a5750200e9709ed2f7095704fe4e89fd7 (patch)
tree	141f78fa3c1b873ecba87f5e3150cb43e6d698d3
parent	1273c97343c2070a28cfa1f1dd55599ca87106e2 (diff)
download	libtasn1-15c8d83a5750200e9709ed2f7095704fe4e89fd7.tar.gz